Jump to content
  • HTML injections in dedicated server properties



    I'm trying to inject various things in the dedicated server properties to ensure security in my server tracker crawler/web pages. (https://7daystodie.online)

    Game Version: Alpha.20.7.1

    Platform:  Steam

    OS/Version: Linux

    CPU Model: Ryzen 5 2600

    Game mode: Dedicated server


    Did you wipe old saves? Yes

    Did you start a new game? Yes

    Did you validate your files? Yes

    Are you using any mods? No

    EAC on or off? ON


    Status: NEW


    Bug Description:


    While trying XSS injections, the dedi refused to boot with normal HTML tags inside the ServerDescription property.

    <property name="ServerDescription" value="<a href='/testxss.html' onload=alert('xss test')>xss test</a>" />
    2023-04-26T11:22:41 0.159 EXC '<', hexadecimal value 0x3C, is an invalid attribute character. Line 8, position 47.

    So this looks normal behavior.

    And I tried to convert in HTML Entities :


    <property name="ServerDescription" value="&#x3C;a href=&#x22;/testxss.html&#x22; onload=&#x22;alert(&#x27;xss test&#x27;)&#x22;&#x3E;xss test&#x3C;/a&#x3E;" />

    And this one worked, but the HTML Entities are computed to valid HTML tags by the dedicated server :
    Screenshot of telnet query uploaded with the post.
    You can also see the result in the tracker that have xss protections but it show a valid HTML tag :



    Detailed steps to reproduce the bug:


    1) Just use the ServerDescription property above with HTML Entities



    Expected result:

    I didn't digged in the dedi Assembly.dll yet, I have no visual studio setup at this time, and can't see if it's a normal behavior or not.
    I know there is some markup to colorize text, and this is our web dev responsibility to ensure injections will not happen, but the game should not compute such things like HTML Entities.
    This may be the door to other injections with c# or in-game things that I have not discovered/tried yet.

    Thank you in advance! 🍻


    User Feedback

    Recommended Comments

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

  • Create New...